This topic describes the network architecture of Elastic Desktop Service (EDS) to help you build a network environment based on your business requirements.
Networking

- A workspace VPC is used to isolate the network of the cloud desktops in a workspace. When you create a workspace, you must specify an IPv4 CIDR block, a connection method, and an account system type.
- The system creates a workspace VPC based on the IPv4 CIDR block that you specify. Alibaba Cloud maintains the VPC. The workspace VPC is used by all cloud desktops that are created in the workspace. The system assigns IP addresses from the specified IPv4 CIDR block to the cloud desktops. For more information about how to plan the CIDR block of a workspace, see CIDR block planning.
Important: If you want to attach the workspace VPC to a Cloud Enterprise Network (CEN) instance, make sure that the CIDR block of the workspace VPC and the CIDR block of the CEN instance do not overlap. If your business scenario requires CIDR blocks to meet specific requirements, submit a ticket.
- The connection method of a workspace determines how Alibaba Cloud Workspace clients connect to cloud desktops in the workspace. Connection methods include Internet, VPC, and Internet and VPC.
If you select Internet as the connection method, make sure that the clients can access the Internet. If you want to use VPC as the connection method, make sure that connectivity is enabled between on-premises and off-premises networks. For more information, see Client connection methods.
- Workspaces are classified into the following types: workspaces of the convenience account type and workspaces of the enterprise Active Directory (AD) account type. The AD system of an enterprise must be connected to a workspace of the enterprise AD account type. Make sure that the workspace VPC and the network to which the enterprise AD system belongs are connected.
Note: To enable connectivity between on-premises and off-premises networks, use Express Connect, Smart Access Gateway, or VPN Gateway based on your business requirements.
- Each cloud desktop uses two network interface controllers (NICs): eth0 and eth1. eth0 is an internal NIC that is used to manage traffic between clients and cloud desktops. IP addresses of eth0 are assigned by EDS. eth1 is a common NIC that is used to access resources over a VPC or the Internet. IP addresses of eth1 are assigned by the system from the CIDR blocks of a workspace VPC. After eth1 is attached, cloud desktops in a workspace can communicate with each other or connect to CEN.
- By default, cloud desktops cannot access the Internet. If you want cloud desktops to access the Internet, enable Internet access for the workspace to which the cloud desktops belong. For more information, see Manage Internet access.
- By default, cloud desktops in the same workspace cannot communicate with each other. If you want to enable communication between the cloud desktops, modify the settings of the workspace after the workspace is created.
- By default, cloud desktops in different workspaces cannot communicate with each other. If you want to enable communication between the cloud desktops, attach the workspace VPCs of the cloud desktops to the same CEN instance. For more information, see Attach a workspace VPC to or detach a workspace VPC from a CEN instance.
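The requirement above that a workspace VPC's CIDR block must not overlap the CIDR blocks already behind a CEN instance can be checked before the workspace is created. The following is an added example, not Alibaba Cloud code; the network names and CIDR values are constructed, and the helper names are hypothetical.

```python
import ipaddress

# Constructed sample: CIDR blocks already reachable through the CEN instance.
ATTACHED = {
    "user-vpc": "172.16.0.0/16",
    "on-premises": "10.0.0.0/12",
    "workspace-a": "192.168.0.0/20",
}


def find_overlaps(candidate, attached):
    """Return names of attached networks whose CIDR overlaps the candidate."""
    # strict=True rejects blocks with host bits set, e.g. 10.8.1.0/16.
    cand = ipaddress.IPv4Network(candidate, strict=True)
    return sorted(
        name for name, cidr in attached.items()
        if cand.overlaps(ipaddress.IPv4Network(cidr))
    )


def first_free_block(pool, prefixlen, attached):
    """Return the first /prefixlen subnet of pool that overlaps nothing attached."""
    used = [ipaddress.IPv4Network(c) for c in attached.values()]
    for subnet in ipaddress.IPv4Network(pool).subnets(new_prefix=prefixlen):
        if not any(subnet.overlaps(u) for u in used):
            return str(subnet)
    return None  # pool exhausted at this prefix length


if __name__ == "__main__":
    for cidr in ("10.8.0.0/16", "192.168.16.0/20"):
        clashes = find_overlaps(cidr, ATTACHED)
        print(cidr, "conflicts with", clashes if clashes else "nothing")
    print("suggested:", first_free_block("192.168.0.0/16", 20, ATTACHED))
```

Include on-premises ranges in the attached set as well, because they become routable to the workspace once connectivity between on-premises and off-premises networks is enabled.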
Client connection methods
- Connection over the Internet
If you want to connect the client to cloud desktops over the Internet, make sure that the client can access the Internet.
- Connection over a VPC
If you want to connect the client to cloud desktops over a VPC, make sure that connectivity is enabled between on-premises and off-premises networks by using Express Connect, Smart Access Gateway, or VPN Gateway. The following examples describe two of these options:
- If you use VPN Gateway, you must create a VPC as the user VPC, attach the workspace VPC and the user VPC to the same CEN instance, and then configure a VPN gateway. In this example, SSL-VPN is used to enable network connectivity. For more information, see Use SSL-VPN to access cloud desktops from an EDS client over private networks.
- If you use Smart Access Gateway, you must create a Cloud Connect Network (CCN) instance, attach the workspace VPC and the CCN instance to the CEN instance, and then configure Smart Access Gateway to bind the CCN instance. In this example, the SAG app is used to enable network connectivity. For more information, see Use the SAG app to access cloud desktops from an EDS client over private networks.
Note: Alibaba Cloud PrivateLink is used to connect VPCs. This service is free of charge and allows VPCs to connect to Alibaba Cloud services in a secure and stable manner. If you set Connection Method to VPC or Internet and VPC, PrivateLink is activated.